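GraalVM license analysis

1 Background

Because GraalVM Community Edition as a whole is released under GPLv2, we want to understand GraalVM's licensing in detail and determine whether it carries open-source licensing risk.

2 Starting material

2.1 Official website

https://www.graalvm.org/faq/ has a dedicated explanation.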

GraalVM Community Edition is open source software built from the sources available on GitHub and distributed under version 2 of the GNU General Public License with the “Classpath” Exception, which are the same terms as for Java. We also recommend checking the licenses of the individual GraalVM components (which are generally derivative of the license of a particular language). GraalVM Community is free to use for any purpose and comes with no strings attached, but also no guarantees or support.

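There are several key points here:
1 The Community Edition as a whole is GPLv2 with the "Classpath" Exception, the same as the Java JDK (see the explanation at http://openjdk.java.net/legal/exception-modules-2007-05-08.html; the whole of OpenJDK is covered by the exception, so linking does not propagate the license);
2 The Community Edition places no restriction on use (commercial use is allowed) and demands nothing special in return (and of course comes with no quality or technical-support guarantees);
3 Each component has a different license.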

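2.2 LICENSE files in the release package and the source code

The GraalVM Community Edition download package provided by Oracle (version 20.1.0) contains a LICENSE file that gives a rough description of each component.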

          Product License  - GraalVM Community Edition

GraalVM Community Edition consists of multiple modules. The software as a
whole, is released under version 2 of the GNU General Public License with the
“Classpath” Exception. Certain modules of GraalVM Community Edition are released
under separate and/or additional licenses, as follows: Graal.js and Graal
Node.js are released under the Universal Permissive License (UPL) Version 1.0;
Sulong – LLVM is released under a 3-clause BSD license.

The text of the foregoing licenses is reproduced below.

Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.

Some components are not mentioned there, so download the source code from https://github.com/oracle/graal.
The README.md file contains the following statement.
Each GraalVM component is licensed:

To further verify the overall LICENSE statement, the following shell command can be run in the code repository:

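# List non-generated, non-test .java files that lack the word "designates", which the GPLv2 "Classpath" exception file header uses
grep -RIL "designates" . | grep '\.java' | grep -v generated | grep -v /test/ | grep -v '\.class' | while IFS= read -r x; do grep -L 'GENERATED CONTENT - DO NOT EDIT' "$x"; done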
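
The command above only lists files that lack the exception wording. As an added example (not code from the original post or from the GraalVM project), the script below generalizes it to label every non-test, non-generated .java file by the license header it carries. The function names, the labels and the marker strings other than the two taken from the command are assumptions, and the sample tree is constructed.

```sh
#!/bin/sh
# Added example: classify .java files by the license header they carry.
# "designates" and "GENERATED CONTENT - DO NOT EDIT" come from the command
# above; the other marker strings are assumptions about header wording.

classify_header() {   # prints one label for the file named in $1
    hdr=$(head -n 60 -- "$1")   # license headers sit at the top of a file
    case $hdr in
        *'GENERATED CONTENT - DO NOT EDIT'*)   echo generated ;;
        *'General Public License'*designates*) echo gpl2-classpath ;;
        *'General Public License'*)            echo gpl2-no-exception ;;
        *'Universal Permissive License'*)      echo upl ;;
        *'Redistribution and use in source and binary forms'*) echo bsd ;;
        *)                                     echo unknown ;;
    esac
}

scan_tree() {         # prints "label<TAB>path"; assumes no newlines in paths
    ( cd "$1" || exit 1
      find . -type f -name '*.java' ! -path '*/test/*' ! -path '*generated*' |
      while IFS= read -r f; do
          printf '%s\t%s\n' "$(classify_header "$f")" "$f"
      done )
}

license_summary() {   # prints "count label", one line per label
    scan_tree "$1" | cut -f1 | LC_ALL=C sort | uniq -c | awk '{print $1, $2}'
}

make_sample_tree() {  # constructed sample input, not real GraalVM files
    d=$(mktemp -d)
    mkdir -p "$d/compiler/test" "$d/truffle" "$d/sulong"
    printf '%s\n' '// GNU General Public License version 2 only' \
        '// Oracle designates this particular file as subject to the "Classpath" exception' \
        > "$d/compiler/A.java"
    echo '// GNU General Public License version 2 only' > "$d/compiler/B.java"
    echo '// The Universal Permissive License (UPL), Version 1.0' > "$d/truffle/C.java"
    echo '// Redistribution and use in source and binary forms' > "$d/sulong/D.java"
    echo '// GENERATED CONTENT - DO NOT EDIT' > "$d/truffle/E.java"
    echo 'class F {}' > "$d/sulong/F.java"
    echo 'class T {}' > "$d/compiler/test/T.java"   # skipped: under /test/
    echo "$d"
}

# Demo on the constructed tree; pass a real checkout to license_summary instead.
demo=$(make_sample_tree); license_summary "$demo"; rm -rf "$demo"
```

Files labelled gpl2-no-exception or unknown are the ones to review by hand, since they are not covered by the Classpath exception wording.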

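3 License impact analysis

GraalVM Community Edition as a whole is GPLv2 with the Classpath exception. The main purpose of this license analysis is to identify two risks: the risk that our code is forced open through copyleft propagation, and the risk of patent disputes.

3.1 Copyleft propagation analysis

3.1.1 Graal architecture analysis

To determine what effect Graal's licenses have on user code, a basic analysis of its architecture is needed. The architecture is excerpted from the official introduction and annotated as follows.

3.1.2 Conclusions of the copyleft propagation analysis

Referring to the architecture diagram in the previous section, the lower layers of GraalVM contain several GPLv2 components, so improvements to the compiler/VM part undoubtedly have to be released as open source.
However, the compiler/VM is not linked directly with the upper-layer JS/Java code; the relationship is one of data processing, so the upper-layer code does not need to be open-sourced.
The vast majority of the assets we need to protect are in the upper-layer JS/Java code, so the GPL propagation risk from GraalVM is low.

3.2 Patent dispute analysis

Referring to the architecture diagram in the previous part, the components of current interest fall under three licenses: GPLv2 (compiler/VM), UPL (Truffle/JS) and BSD (Sulong). Each is analyzed below.

3.2.1 GPLv2 license analysis

GPLv2 has no dedicated patent clause, but it does make two points: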

  1. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients’ exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

  2. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

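In other words: if there is a patent problem, the GPL software cannot be distributed.
Overall, this removes the risk of a patent dispute between us and the owner of the GPLv2 software. The risk of third-party patent disputes remains, however: for example, if A releases GPL software X, we use X, and a third party claims that X infringes its patent, then both we and A bear the losses from the patent infringement.

3.2.2 UPL license analysis

According to https://oss.oracle.com/licenses/upl/, the UPL is a very open and friendly open-source license.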
The most important features and things to understand about the UPL are the following:

  • Clear patent protection. The UPL is a broad permissive license including both a copyright license and an express patent license, covering at least a version licensed by someone under the license (for example a distributor) and/or a version someone contributed to even if they never distribute the whole. (The reason the latter is needed is discussed below.) By virtue of the unambiguous patent license, the UPL is materially clearer with respect to the rights licensed and likely broader than either the MIT or BSD licenses.
  • Clear & simplified relicensing. The UPL expressly permits sublicensing under either the UPL or under other terms, which clearly allows someone to relicense code received under the UPL either on copyleft terms, on proprietary terms, or otherwise, thus permitting maximum flexibility in reuse.
  • Reduced overhead in source files. The UPL expressly permits use of the license without including a full copy of the text, which is useful for JavaScript or other cases where minimizing space consumed by licenses is desired - see below for our recommendation of how to apply the license or include proper attribution without the full text.
  • It can be used as a contributor agreement. Finally, the UPL may be used as a contributor license agreement licensing both the software itself and also contributor patents for use in one or more “Larger Works.” The Larger Works licensed in this fashion are designated by the use of a separate file accompanying the license, akin to the NOTICE file that accompanies the Apache License, Version 2.0. The Larger Works file can be used to control for both contributions to other works (for example, we could specify MySQL in a Larger Works file for a work, which would then license contributor patents for MySQL as well as the contribution), to set patent license scope for specific versions (for example, we could specify the approved reference implementation of JSR-xxx including Maintenance Releases to ensure that all contributors to an RI are licensing both the final version of the RI and qualified updates under the JCP program), or both.
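
In summary, the UPL not only permits arbitrary reuse of the code (including commercial use) but also explicitly provides a patent license and protection, so the legal risk is very low.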

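3.2.3 3-Clause BSD license analysis

The BSD license is very simple and liberal, and places essentially no restrictions on how the software is used.
However, the BSD license provides no patent protection at all, so the likelihood of a patent dispute is much higher than with the UPL and GPL discussed above.
For this part, we can only rely on protection from Oracle, the owner of the Graal project (in principle, of course, Oracle could also be the plaintiff...).

4 Summary

4.1 License analysis conclusions

Overall, GraalVM's copyleft propagation risk is similar to that of the OpenJDK project: the upper-layer code, which is the core asset, will not be forced open.
On the patent side, if the Sulong project (the front end that consumes LLVM IR, mainly used to bring in static languages such as C/C++/Rust) is not used, the risk of patent disputes is low.

4.2 Discussion of future risks

For open-source software, analyzing who owns the code and what the owner intends is actually more important than the license itself, because the code owner has the right to change the license at any time.
Judging from Oracle's current arrangements, GraalVM will follow a monetization strategy similar to OpenJDK's. The Community Edition opens the core functionality under the GPL (with the Classpath exception ensuring that user code is not affected), while the commercial edition earns revenue by offering higher performance and better support (commercial licensing is very expensive: it is billed per CPU, at close to 20 US dollars per CPU per month; see https://www.oracle.com/ng/a/ocom/docs/corporate/pricing/graalvm-price-list.pdf).
This strategy has been running on OpenJDK for a long time, and Oracle is expected to protect and support the Graal project's development under the same model.
If Oracle protects this model, then in practice both the GPL propagation risk (Oracle will not deliberately propagate the license to user code and destroy this operating model) and the patent dispute risk (Oracle will not act as a patent plaintiff, and will protect the BSD-licensed components) are very small.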